Abstract

Existing quantum cryptographic schemes are not, as they stand, operable in 
the presence of noise on the quantum communication channel. Although they 
become operable if they are supplemented by classical privacy-amplification 
techniques, the resulting schemes are difficult to analyse and have not been 
proved secure. We introduce the concept of quantum privacy amplification 
and a cryptographic scheme incorporating it which is provably secure over 
a noisy channel. The scheme uses an 'entanglement purification' procedure 
which, because it requires only a few quantum Controlled-Not and single-qubit
operations, could be implemented using technology that is currently
being developed. The scheme allows an arbitrarily small bound to be placed 
on the information that any eavesdropper may extract from the encrypted 

Quantum cryptography [1-3] allows two parties (traditionally known as Alice and Bob)
to establish a secure random cryptographic key if, firstly, they have access to a quantum 
communication channel, and secondly, they can exchange classical public messages which can 
be monitored but not altered by an eavesdropper (Eve). Using such a key, a secure message of 
equal length can be transmitted over the classical channel. However, the security of quantum 
cryptography has so far been proved only for the idealised case where the quantum channel, 
in the absence of eavesdropping, is noiseless. That is because, under existing protocols, Alice 
and Bob detect eavesdropping by performing certain quantum measurements on transmitted 
batches of qubits and then using statistical tests to determine, with any desired degree of 
confidence, that the transmitted qubits are not entangled with any third system such as 
Eve. The problem is that there is in principle no way of distinguishing entanglement with 
an eavesdropper (caused by her measurements) from entanglement with the environment 
caused by innocent noise, some of which is presumably always present. 

This implies that all existing protocols are, strictly speaking, inoperable in the presence 
of noise, since they require the transmission of messages to be suspended whenever an 
eavesdropper (or, therefore, noise) is detected. Conversely, if we want a protocol that is 
secure in the presence of noise, we must find one that allows secure transmission to continue 
even in the presence of eavesdroppers. To this end, one might consider modifying the existing 
protocols by reducing the statistical confidence level at which Alice and Bob accept a batch
of qubits. Instead of the astronomically high level envisaged in the idealised protocol, they 
would set the level so that they would accept most batches that had encountered a given 
level of noise. They would then have to assume that some of the information in the batch 
was known to an eavesdropper. It seems reasonable that classical privacy amplification [4] 
could then be used to distil, from large numbers of such qubits, a key in whose security one 
could have an astronomically high level of confidence. However, no such scheme has yet been 
proved to be secure. Existing proofs of the security of classical privacy amplification apply 
only to classical communication channels and classical eavesdroppers. They do not cover 
the new eavesdropping strategies that become possible in the quantum case: for instance, 
causing a quantum ancilla to interact with the encrypted message, storing the ancilla and
later performing a measurement on it that is chosen according to the data that Alice and
Bob exchange publicly.

In this paper we present a protocol that is secure in the presence of noise and an eavesdropper.
It uses entanglement-based quantum cryptography [2], but with a new element,
an 'entanglement purification' procedure. This allows Alice and Bob to generate a pair of 
qubits in a state that is close to a pure, maximally entangled state, and whose entanglement 
with any outside system is arbitrarily low. They can generate this from any supply of pairs 
of qubits in mixed states with non-zero entanglement, even if an eavesdropper has had access 
to those qubits. 

Our procedure - a Quantum Privacy Amplification algorithm - can be performed by 
Alice and Bob at distant locations by a sequence of local operations which are agreed upon 
by communication over a public channel. It is related to the procedure described in [5], but
is much more efficient. 

In the idealised theory of entanglement-based quantum cryptography, Alice and Bob 
have a supply of qubit-pairs, each pair being in the pure, maximally entangled state $|\phi^+\rangle$,
where 



These are the so-called 'Bell states' which form a convenient basis for the state space of a 
qubit-pair. Alice and Bob each have one qubit from each pair. In the presence of noise, each 
pair would in general have become entangled with other pairs and with the environment, 
and would be described by a density operator on the space spanned by (1). 

Note that any two qubits that are jointly in a pure state cannot be entangled with any 
third physical object. Therefore any algorithm that delivers qubit-pairs in pure states must 
also have eliminated the entanglement between any of those pairs and any other system. Our 
scheme is based on an iterative quantum algorithm which, if performed with perfect accuracy, 
starting with a collection of qubit-pairs in mixed states, would discard some of them and leave 
the remaining ones in states converging to $|\phi^+\rangle\langle\phi^+|$. If (as must be the case realistically)
the algorithm is performed imperfectly, the density operator of the pairs remaining after
each iteration will not converge on $|\phi^+\rangle\langle\phi^+|$, but will fluctuate in a neighbourhood of
it. However, we shall argue that the degree of entanglement with any eavesdropper may
nevertheless continue to fall, and can be brought to an arbitrarily low value even though the
purification to $|\phi^+\rangle\langle\phi^+|$ remains imperfect.

Our first departure from existing quantum cryptographic schemes is to assume that Eve 
does interact with all the qubits that are transmitted or received by either Alice or Bob. 
Indeed we analyse the scenario that is most favourable for eavesdropping, namely where Eve 
herself is allowed to prepare all the qubit pairs that Alice and Bob will subsequently use 
for cryptography. Any realistic situation would also involve environmental noise that is not 
under Eve's control, but this may be treated as a special case in which Eve is not using the 
full information available to her. 

Suppose, then, that Eve has prepared two qubit pairs in some manner of her own choosing,
and sends one qubit from each pair to each of Alice and Bob. Let the density operators
of the two pairs be $\rho$ and $\rho'$ respectively. Alice performs a unitary operation

$$|0\rangle \rightarrow \frac{1}{\sqrt{2}}\left(|0\rangle - i|1\rangle\right) \tag{2}$$
$$|1\rangle \rightarrow \frac{1}{\sqrt{2}}\left(|1\rangle - i|0\rangle\right) \tag{3}$$

on each of her two qubits; Bob performs the inverse operation

$$|0\rangle \rightarrow \frac{1}{\sqrt{2}}\left(|0\rangle + i|1\rangle\right) \tag{4}$$
$$|1\rangle \rightarrow \frac{1}{\sqrt{2}}\left(|1\rangle + i|0\rangle\right) \tag{5}$$

on his. If the qubits are spin-$\frac{1}{2}$ particles and the computation basis is that of the eigenstates
of the $z$ components of their spins, then the two operations correspond respectively to
rotations by $\pi/2$ and $-\pi/2$ about the $x$ axis.

Then Alice and Bob each perform two instances of the quantum Controlled-Not operation

$$\underbrace{|a\rangle}_{\text{control}}\,\underbrace{|b\rangle}_{\text{target}} \longrightarrow \underbrace{|a\rangle}_{\text{control}}\,\underbrace{|a \oplus b\rangle}_{\text{target}}, \qquad (a, b) \in \{0, 1\} \tag{6}$$

where one pair ($\rho$) comprises the two control qubits and the other one ($\rho'$) the two target
qubits [6]. Alice and Bob then measure the target qubits in the computational basis (e.g. 
they measure the z components of the targets' spins). If the outcomes coincide (e.g. both 
spins up or both spins down) they keep the control pair for the next round, and discard the 
target pair. If the outcomes do not coincide, both pairs are discarded. 

To see the effect of this procedure, consider the case in which each pair is in state $\rho$
(although the joint state of the two pairs need not be the simple product $\rho \otimes \rho$ as they may
be entangled with each other). This case will suffice for our applications. We express the
density operator $\rho$ in the Bell basis {$|\phi^+\rangle$, | , | , $|\phi^-\rangle$} and denote by $\{A, B, C, D\}$
the diagonal elements in that basis. Note that the first diagonal element $A = \langle\phi^+|\rho|\phi^+\rangle$,
which we call the 'fidelity', is the probability that the qubit would pass a test for being in
the state $|\phi^+\rangle$. Thus we wish to drive the fidelity to 1 (which implies that the other three
diagonal elements go to 0). Now, in the case where the control qubits are retained, their
density operator $\tilde\rho$ will have diagonal elements $\{\tilde A, \tilde B, \tilde C, \tilde D\}$ which depend on average only
on the diagonal elements of $\rho$:

$$\tilde A = \frac{A^2 + B^2}{N}, \quad \tilde B = \frac{2CD}{N}, \quad \tilde C = \frac{C^2 + D^2}{N}, \quad \tilde D = \frac{2AB}{N}, \tag{7}$$

where $N = (A + B)^2 + (C + D)^2$ is the probability that Alice and Bob obtain coinciding
outcomes in the measurements on the target pair. That is, if the procedure is carried out
many times on an ensemble of such pairs of pairs, then $\tilde A$, $\tilde B$, $\tilde C$ and $\tilde D$ give the average
diagonal entries of the surviving pairs. Note that if the average $\tilde A$ is driven to 1 then each
of the surviving pairs must individually approach the pure state $|\phi^+\rangle\langle\phi^+|$.

In passing we note that if the two input pairs have different states $\rho$ and $\rho'$ with diagonal
elements $\{A, B, C, D\}$ and $\{A', B', C', D'\}$ respectively, then the retained control pairs will,
on average, have diagonal elements given by:

$$\tilde A = \frac{AA' + BB'}{N}, \quad \tilde B = \frac{C'D + CD'}{N}, \quad \tilde C = \frac{CC' + DD'}{N}, \quad \tilde D = \frac{AB' + A'B}{N}, \tag{8}$$

where $N = (A + B)(A' + B') + (C + D)(C' + D')$, which generalises (7).

Suppose that Eve has provided $L$ pairs of qubits, with density operators $\rho_1, \rho_2, \ldots, \rho_L$.
(This is not to say that their overall density operator is $\rho_1 \otimes \rho_2 \otimes \cdots \otimes \rho_L$, for Eve may
have prepared them in an entangled state.) Alice and Bob know nothing about the state
preparation; they are simply presented with an ensemble of $L$ pairs of qubits from which
they can (if they wish) estimate the average density operator $\rho_{\mathrm{ave}}$
which characterises the ensemble of pairs.

Alice and Bob now select pairs at random from the ensemble of provided pairs and apply 
the QPA procedure to pairs of these selected pairs. Thus we may set $\rho = \rho_{\mathrm{ave}}$ in (7) and we
are in effect studying the properties of the map
on the average diagonal elements of density operators (in the Bell basis). $\{\tilde A, \tilde B, \tilde C, \tilde D\}$ in
(10) gives the average diagonal entries for the states of the surviving pairs i.e. the diagonal 
entries of the average density operator of the ensemble of surviving pairs. Therefore the 
repeated application of the QPA procedure - generating successive ensembles of surviving 
pairs - corresponds to iteration of the map in (10). 

Several interesting properties of this map can be easily verified. For example if at any
stage the fidelity $A$ exceeds $1/2$, then after one more iteration, it still exceeds $1/2$. Although
$A$ does not necessarily increase monotonically, our target point, $A = 1$, $B = C = D = 0$,
is a fixed point of the map, and is the only fixed point in the region $A > 1/2$. It is a local
attractor. We have been unable to obtain a proof that it is also a global attractor in the
region $A > 1/2$, but we have verified this by computer simulation. In other words, if we begin
with pairs whose average fidelity exceeds $1/2$, but which are otherwise in an arbitrary state
containing arbitrary correlations with each other and with an eavesdropper, then the states
of pairs surviving after successive iterations always converge to the unit-fidelity pure state
$|\phi^+\rangle$. Since this is a pure state, none of the surviving pairs is, in the limit, entangled with
any other system.

To illustrate the behaviour of the iteration, in Fig. 1 we plot the fidelity as a function
of the initial fidelity and the number of iterations, in cases where $A > 1/2$ and $B = C = D$
initially.

If the procedure were performed only imperfectly, then as we have said, the fidelity would 
approach some value below 1, and would then fluctuate. However this does not necessarily
imply an associated level of residual entanglement with the eavesdropper. Let us consider 
more closely what it means to perform the QPA procedure 'imperfectly'. We may at least 
assume that Alice and Bob are capable of performing local computations in secret, and 
therefore that even an imperfect QPA apparatus does not interact with Eve. In other words, 
the perturbing interactions that make each QPA step imperfect are local to Alice or Bob's
private domains. (The issue of the security of these private domains is beyond the remit 
of cryptology.) Consider a class of perturbations, which may include both imperfections of 
the measurements and of the quantum logic gates, for which the net effect is as if all the 
QPA steps were performed perfectly, but some local interactions took place before and after 
the steps were performed. Such interactions would reduce the fidelity of the surviving qubit 
pairs, but could not increase their entanglement with the eavesdropper. Indeed they could 
not prevent the elimination of such entanglement in successive QPA steps. In this scenario, 
even though the purification will be limited by the accuracy of the logic gates and detectors, 
the entanglement with the eavesdropper, on which her opportunity to read the key entirely 
depends, nevertheless becomes arbitrarily small. Specifically, if the procedure is performed
with moderate accuracy, then her information due to entanglement must fall roughly as if 
the accuracy were perfect. 

The QPA procedure is rather wasteful in terms of discarded particles - at least one half 
of the particles (the ones used as controls) is lost at every iteration. In Fig. 2 we plot the 
efficiency, i.e. the proportion of the initial supply of pairs that remain, after 10 iterations, 
in units of $2^{-10}$, as a function of the initial fidelity for initial states with $B = C = D$. Still
the efficiency of our scheme compares favourably with the entanglement purification scheme
as described in [5] (about 1000 times more efficient for $A$ close to 0.5) and it can be directly
applied to purify states which are not necessarily of the Werner form [7].
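
The convergence and efficiency behaviour described above can be reproduced numerically. The following Python sketch is an added example, not code from the paper: it iterates map (7) on the Bell-diagonal elements, and the function names (`qpa_step`, `werner_like`, `purify`), the sample starting points, and the reading of the efficiency as the product of the per-round coincidence probabilities $N$ (in units of $2^{-\text{rounds}}$) are assumptions of this example.

```python
def qpa_step(A, B, C, D):
    """One QPA round on the Bell-diagonal elements, following map (7).

    Returns the surviving pairs' average diagonal elements and N, the
    probability that the two target measurements coincide.
    """
    N = (A + B) ** 2 + (C + D) ** 2
    return ((A * A + B * B) / N, 2 * C * D / N,
            (C * C + D * D) / N, 2 * A * B / N), N


def werner_like(A):
    """Initial state with fidelity A and B = C = D, as in Figs. 1 and 2."""
    rest = (1.0 - A) / 3.0
    return (A, rest, rest, rest)


def purify(diag, rounds):
    """Iterate the map; return (fidelity per round, yield in units of 2**-rounds).

    Assumption of this example: each round consumes pairs two at a time and
    keeps one of them with probability N, so the surviving fraction after
    `rounds` rounds is 2**-rounds times the product of the N values.
    """
    fidelities, survival = [diag[0]], 1.0
    for _ in range(rounds):
        diag, N = qpa_step(*diag)
        survival *= N
        fidelities.append(diag[0])
    return fidelities, survival


if __name__ == "__main__":
    for A0 in (0.55, 0.60, 0.75, 0.90):  # constructed sample inputs
        fids, eff = purify(werner_like(A0), 10)
        print(f"A0={A0:.2f}  A after 10 rounds={fids[-1]:.6f}  "
              f"efficiency={eff:.4f} x 2^-10")
    # A non-Werner start (constructed): the fidelity dips in the first
    # round, stays above 1/2, and then climbs towards 1.
    fids, _ = purify((0.51, 0.49, 0.0, 0.0), 40)
    print("non-monotonic start:", [round(f, 4) for f in fids[:4]],
          "->", round(fids[-1], 6))
```

The second run illustrates the remark that $A$ need not increase monotonically while still never dropping to $1/2$ or below.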

The QPA is capable of purifying (or disentangling) a collection of pairs in any state $\rho$
whose average fidelity with respect to at least one maximally entangled state (i.e. a Bell state
or a state obtained from a Bell state via local unitary operations) is greater than $1/2$ (because
any state of that type can be transformed into $|\phi^+\rangle$ via local unitary operations [8]). If we
denote by $\mathcal{B}$ a class of pure, maximally entangled states (the generalised Bell states) then
the condition that the state $\rho$ can be purified using the QPA is

$$\max_{\phi \in \mathcal{B}} \langle\phi|\rho|\phi\rangle > \frac{1}{2}. \tag{11}$$

N.B., this condition is not equivalent to the Horodecki condition [9] characterising mixed 
states which can violate a generalised Bell inequality (CHSH inequality [10]). Indeed there
exist mixed states which satisfy both our condition (11) and the CHSH inequalities. Thus, 
analysis of the QPA reveals a more complete characterisation of non-locality than that given 
by Bell's theorem (c.f. also [11-13]). We hope to elaborate this in a forthcoming paper. 

The practical implementation of the QPA would require efficient quantum Controlled-Not 
gates operating directly on information carriers. Perhaps the most promising implementation 
of gates of this type (in the QPA context) is the one proposed by Turchette et al. [14]. It 
operates on polarised photons and allows the polarisation of the target photon to be rotated 
depending on the polarisation of the control photon. Although the current efficiency of the 
device is quite low, recent experimental progress in this field raises hopes for a successful
QPA experiment in the not too distant future. 
FIGURES

Fig. 1. D. Deutsch, Phys. Rev. Lett.

FIG. 1. Average fidelity as a function of the initial fidelity and the number of iterations.

Fig. 2. D. Deutsch, Phys. Rev. Lett.

FIG. 2. Proportion of purified pairs left by the QPA algorithm as a function of the initial
fidelity in units of $2^{-10}$. (Horizontal axis: initial fidelity.)